HEBCA: Higher Education Bridge Certificate Authority

Page 1: HEBCA: Higher Education Bridge Certificate Authority

Transforming Education Through Information Technologies

http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island)

HEBCA: Higher Education Bridge Certificate Authority

Michael R Gettes

Georgetown University

[email protected]

Page 2: HEBCA: Higher Education Bridge Certificate Authority

PKI is 1/3 Technical and 2/3 Policy?

[Diagram labels: Technical, Policy]

Page 3: HEBCA: Higher Education Bridge Certificate Authority

Multiple CAs in FBCA Membrane

• Survivable PKI

• Cross Certificates allow for “one-way policy”

• Directories are critical in BCA world.

Page 4: HEBCA: Higher Education Bridge Certificate Authority

A Snapshot of the U.S. Federal PKI

[Diagram labels: Federal Bridge CA; NFC PKI; NASA PKI; DOD PKI; Illinois PKI; CANADA PKI; Higher Education Bridge CA; University PKI]

Page 5: HEBCA: Higher Education Bridge Certificate Authority

EMA Challenge Architecture

Page 6: HEBCA: Higher Education Bridge Certificate Authority

What is Cross Certification?

• A Bridge signs a site PKI and vice-versa

• Cross Certificates are published in directories and discovered via the network. BCA/CA may remain off-line.

• Policy OIDs and Name Constraint controls are in the cross certificates

• Policy OIDs could map to XML documents describing the policy (processed per Carmody)

Page 7: HEBCA: Higher Education Bridge Certificate Authority

Path Validation

• Application receives a Certificate

• Finds a path back to the signer of the Certificate, validating the path for policy mappings and name constraints.

• Policy Mappings can be LOA (levels of assurance) or “we agree to be in club shib” or whatever

• Name Constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu
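As an added example (not code from the slides or from the HEBCA project): a pure-Python model of the cross-certificate path discovery described on page 6 and the validation on this page. All DNs, policy names and certificates are hypothetical and constructed inline; the relying party's policy is carried through each cross certificate's one-way policy mapping and every name constraint met on the path is enforced on the subjects below it.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str              # holder DN, most specific RDN first
    issuer: str               # signer DN
    policies: set             # policy identifiers asserted in the certificate
    mappings: dict = field(default_factory=dict)  # issuer-domain policy -> subject-domain policy
    name_constraint: str = "" # permitted subtree for every subject below this certificate

def discover_path(ee, directory, anchor_subject):
    """Follow issuer links back to the trust anchor via cross certs found in the directory."""
    path, cert = [ee], ee
    while cert.issuer != anchor_subject:
        nxt = [c for c in directory if c.subject == cert.issuer and c not in path]
        if not nxt:
            return None                      # no path to this relying party's anchor
        cert = nxt[0]
        path.insert(0, cert)                 # result is [top cert, ..., ee]
    return path

def validate_path(path, required_policy):
    """Validate top-down: map the relying party's policy through each cross certificate
    (one-way mapping) and enforce every name constraint seen so far on later subjects."""
    policy, constraints = required_policy, []
    for cert in path:
        if not all(cert.subject == s or cert.subject.endswith("," + s) for s in constraints):
            return False, f"{cert.subject} outside permitted subtree"
        if policy not in cert.policies:
            return False, f"{cert.subject} does not assert {policy}"
        policy = cert.mappings.get(policy, policy)   # hand the policy to the next domain
        if cert.name_constraint:
            constraints.append(cert.name_constraint)
    return True, policy                              # the policy the end entity satisfies

# Constructed directory: hypothetical CAs and policy names (FBCA/HEBCA DNs follow page 17).
FBCA = "ou=FBCA,o=U.S. Government,c=US"
HEBCA = "ou=HEBCA,o=edu,c=US"
DIRECTORY = [
    Cert(HEBCA, FBCA, {"fbca.medium"}, {"fbca.medium": "hebca.medium"}),
    Cert("cn=CA,dc=univ,dc=edu", HEBCA, {"hebca.medium"},
         {"hebca.medium": "univ.medium"}, name_constraint="dc=univ,dc=edu"),
]
ALICE = Cert("cn=alice,dc=univ,dc=edu", "cn=CA,dc=univ,dc=edu", {"univ.medium"})

def check(ee, required_policy="fbca.medium"):
    """A relying party whose trust anchor is the FBCA validates a HE-domain certificate."""
    path = discover_path(ee, DIRECTORY, FBCA)
    return validate_path(path, required_policy) if path else (False, "no path")
```

A certificate issued by the university CA outside dc=univ,dc=edu, or one lacking the mapped policy, is rejected even though a signature path exists.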

Page 8: HEBCA: Higher Education Bridge Certificate Authority

On Policy

• We have a draft HEBCA Certificate Policy

• The HE CP and HEBCA CP are congruent

• The HEBCA CP and FBCA CP are congruent

• We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE

Page 9: HEBCA: Higher Education Bridge Certificate Authority

NIH-Educause PKI Pilot: Phase Two

Electronic Grant Application With Multiple Digital Signatures

Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

Page 10: HEBCA: Higher Education Bridge Certificate Authority

The Goals

1. Receive NIH research grant application in electronic form signed with two different digital certificates each; digital certificates issued by Institution, several different vendors represented;

2. Verify and validate digital signatures through ACES Certificate Arbitration Module (CAM).

3. (EDUCAUSE Funding and Administrative Support, Coordination and Marketing.)

Page 11: HEBCA: Higher Education Bridge Certificate Authority

Intermediate Requirements

1. Stand up a Higher Education Bridge Certification Authority (HEBCA);

2. Cross-certify the Federal Bridge CA with the Higher Education Bridge CA;

3. Cross-certify Institutions with HEBCA;

Page 12: HEBCA: Higher Education Bridge Certificate Authority

Participating Institutions

• University of Alabama-Birmingham

• University of Wisconsin-Madison

• University of California, Office of the President

• University of Texas – Houston

• Dartmouth College

• (Georgetown University – HEBCA issues)

Page 13: HEBCA: Higher Education Bridge Certificate Authority

The Problem

• Picture/s of piles of grant applications

– About 20,000 6 ft high standing people of paper.

• 1 forest per year just grant apps.

• The Solution: signed, electronic grant application

– Of course!

Page 14: HEBCA: Higher Education Bridge Certificate Authority

Phase Two Concept of Operations (CONOPS)

[Diagram labels: University A, University B, University C; E-Lock Assured Office Digital Signed Grant Appl; Internet; NIH OER Mail Server; NIH OER Recipient; E-Lock Assured Office CAM-enabled; NIH CAM Server; Certificate Validation University A, University B, University C; CertStatus; FBCA; HEBCA]

Page 15: HEBCA: Higher Education Bridge Certificate Authority

HEBCA Proof of Concept Architecture

[Diagram labels. NIH Trust Domain: NIH User, NIH Test CA, Directory. Higher Education Trust Domain: Alabama, California, Wisconsin; DST ARP Test CA, Verisign CA, iPlanet CA, RSA CA; i500 Directory, Directory. Firewall. Prototype Federal Bridge Certificate Authority: Cross Certified CAs (RSA CA, Entrust CA), Directory System Agent, FIPS 140-1 L3 Crypto; cross certificates, CRL, ARL.]

Page 16: HEBCA: Higher Education Bridge Certificate Authority

HEBCA Proof of Concept CA Interoperability Configuration

[Diagram labels. Prototype Federal Bridge Certification Authority: Entrust CA, RSA CA. NIH: NIH Test CA, Client. Higher Education Bridge Certification Authority: RSA CA. California: Verisign CA, Client. Alabama: DST ARP Test CA, Client. Wisconsin: iPlanet CA, Client.]

Page 17: HEBCA: Higher Education Bridge Certificate Authority

HEBCA Proof of Concept Directory Interoperability Configuration

Prototype FBCA (Peerlogic), cn=FBCA_Directory: c=US; o=U.S. Government; ou=FBCA; IP address: 198.76.35.155; DSP port: 102; LDAP port: 389; TSEL: TCP/IP

NIH, cn=nihstandin: c=US; o=U.S. Government; ou=NIH; IP address: 207.123.140.5; DSP port: 102; LDAP port: 389; TSEL: TCP/IP

HEBCA (Critical Path), cn=HEBCA: c=US; o=edu; ou=HEBCA; IP address: 207.123.140.5; DSP port: 102; LDAP port: 389; TSEL: TCP/IP

Alabama, cn=ARP Test Client CA: c=US; o=Digital Signature Trust Co; ou=ARP Testing; IP address: 208.30.65.30; DAP/DSP port: 102; LDAP port: 389

California, cn= : c= ; o= ; ou= ; IP address: ; DAP/DSP port: ; LDAP port: (not filled in on the slide)

Wisconsin, cn= : c= ; o= ; ou= ; IP address: ; DAP/DSP port: ; LDAP port: (not filled in on the slide)

[The diagram links these directories by chaining.]

Page 18: HEBCA: Higher Education Bridge Certificate Authority

“DAVE” (Discovery and Validation Engine)

[Diagram labels: sender (UA), receiver (NIH); UA ca, UA dir; HEBCA, HEBCA dir; FBCA, FBCA dir; NIH ca (trust anchor), NIH directory; crosscert links between the directories; issued; E-Lock software, DAVE, CAM; ca, directory; get Cert, CRL via directory chaining; New LDAP Registry of Directories for BCAs]

Page 19: HEBCA: Higher Education Bridge Certificate Authority

DAVE Components: CML Libraries [Getronics]

• ASN.1 parsing (SNACC)

• S/MIME parsing (SFL)

• Cryptographic engine

• LDAP and local directory retrieval (SFL)

• Path discovery engine (CPL)

DAVE Functions

• Perform proper sequential calling of CML functions (i.e., the business logic)

• Provide call-back functions needed by CML functions

• Provide all CAM communications and protocol transformations

• Wraps CML functions into an NT service (multithreaded, failure and recovery modes, logging, etc.)

Page 20: HEBCA: Higher Education Bridge Certificate Authority

Verification & Validation Details

[Diagram labels: CAM Server; Certificate Authority/Validation Request; CAM/CA; OCSP; MsgData; Discovery and Validation Engine (DAVE); Agency App/CAM; Passing Certificate. Agency App = E-Lock Assured Office CAM-enabled.]

Search for issuer to validate: • CRL • OCSP Responder

If chained, path reverses. If not chained, LDAP queries.

E-Lock Assured Office verifies the signature:

• Verifies the document has not been changed

• Verifies the validity period of the certificate

• Once verified, the certificate is sent to the CAM for certificate validation to ensure that it has not been revoked

Page 21: HEBCA: Higher Education Bridge Certificate Authority


Page 22: HEBCA: Higher Education Bridge Certificate Authority

Bridge CA vs. Shibboleth

• PKI is hard to deploy to end users

• Shib should use BCA aware PKI between servers

• Club Shib will then scale using Policies and Relationships established by Bridge CA world

• ONE Club Shib managed by policy

• Java 1.4 is Bridge aware. Whistler supposed to be.

